Help setting up VLANs for IoT network

Hello!

I’m a noob in networking and I think I got myself into something bigger than my current knowledge haha

I’m trying to understand if the architecture I want to setup is possible and maybe get some insight on how to do it properly.

So here some context:

Hardware:

  • ISP generic router (sercomm) which provides internet on a LAN network (let’s call it “HomeLAN”)
  • hAP Mini (3 ethernet ports + wifi) which I want to use as a router for my IoT network (let’s call it “IoTLAN”)
  • RaspberryPi which I need to be connected to both HomeLAN and IoTLAN
  • An 8 port non-manageable switch to switch HomeLAN.

Architecture:

Restrictions:

  • IoTLAN needs to have access to internet
  • RaspberryPI needs to have access to internet
  • RaspberryPI only has one ethernet port but needs to be connected to 2 VLANs

So with that in mind is this configuration possible?

As far as I understand I need to do the following:

  • Make 3 VLANs (WAN_VLAN, HOME_VLAN and IoT_VLAN)
  • Make hAP.Eth0 untagged WAN_VLAN, make it DHCP Client and configure NAT.
  • Make hAP.Eth2 and hAP.wlan1 untagged IoT_VLAN
  • Make hAP be DHCP server for IoT_VLAN, and configure it with a static IP on that network
  • And here comes the trouble: how am I supposed to get both VLANs ¿untagged? on hAP.eth1?
  • Also maybe out of scope for this forum, but same question for Raspi side….

If what you are saying is that the Raspberry Pi cannot, on its ethernet port, handle VLAN tagged traffic, you are correct, there is no way to accomplish the goal. I believe versions Pi 4 and Pi 5 are very capable of handling VLAN traffic on the ethernet port, so it's just a trunk port on eth1 from the hAP mini and eth0 on the Pi. One question: does any part of the Raspberry Pi configuration (or functionality) require having a VLAN WAN address? If so, then three VLANs...
Otherwise, I believe you just need the Pi to be able to reach the dumb switch devices etc., in which case the hAP mini gets you there by default via NAT to the ISP router flat LAN, and return traffic is done automatically.

What you cannot do is originate traffic on the flat ISP LAN aka from a device and reach anything behind the HAPmini, unless your ISP router is capable of static routes.

Your plan looks good to me thus far.

IMHO not really.
Why three VLANs?

As I see it everything in your left side (blue) is your "Homelan". (No VLAN needed)
Then center (orange) is your "IOTlan" on a given VLAN (but it could be also a different subnet, setting the hAP as router, you will have double NAT, but it won't do any harm for (slowish) IoT devices).
Then right (green) is your raspberryPi that could as well be on its own VLAN or on a different subnet, but also (simpler) on the same subnet as the orange devices.

Ports on Mikrotik devices are generally numbered from 1, so the hAP mini should have ether1, ether2 and ether3 besides wlan1.

Without VLANs and IMHO the simplest setup:

  1. ether1 is WAN (relative to orange and green subnets) and has an address in your "Homelan" (for the sake of the example 192.168.1.254/24)

  2. ether2 and wlan1 are assembled into a bridge, running (optionally) a DHCP server on network (still say) 192.168.88.0/24; this bridge is LAN

  3. ether3 can be added to the bridge above (if raspberry Pi can stay on same subnet) or left self-standing and have (if needed) an own DHCP server (or client) - though personally I would make a /30 connection with 192.168.99.1/30 assigned to the hAP mini and 192.168.99.2/30 assigned to the RaspberryPI

It makes little sense (to me) to go VLAN if you have devices (the ISP router and the unmanaged switch) that do not support them.

thanks for the reply!
it’s a pi4, so I’ll research a bit, I didn’t realize I could have the port on the raspi to be tagged.

as for the raspi functionality:

  • Currently I have it on the HomeLAN acting as PiHole and Wireguard server
  • I want to have it manage IoT devices (in addition the current functions), so this was the only way I could think of having it connected to both networks.

The other doubt I’m having is with bridging the whole thing. Are my VLANs on the same bridge? (sorry if dumb, my background is electronics and automation)

Well yes, I guess I could do subnets as you describe. I just also want to learn a bit of VLAN.

Question in your example (just curious): communication between raspi and a device from HomeLan would be impossible right?

Ah, well if it is for learning/experimenting, that's good :slightly_smiling_face:, I was only objecting to the "needed", many people like to use VLANs whenever they can, but they do add (IMHO) a layer of complexity that in many cases is not "needed".

Why should it be impossible?
You can make a route for it on the hAP mini.

Set aside the wlan/wifi part, you can use a simulator like GNS3 to make experiments without disrupting your existing network.

haha don’t worry I didn’t take it in a bad way :smiley:
I was thinking it’s impossible because in your example the first port of the hAPmini would not be part of the bridge?

thanks for the suggestion of GNS3, will take a look (yeeey another rabbit hole! :rofl: )

As I stated, the only reason to need a third VLAN (for the incoming flat network LAN IP, also the WAN IP of the hAP) is if the Pi needed an address on that subnet. Since that doesn't seem to be the case, you only need two VLANs.

Yep, it is a (deep) rabbit hole.

Loosely, GNS3 is a (royal) PITA to setup (and have it work correctly).

It has some ways of working (and settings) that are either mis- or non-documented and that feel completely alien, with "queer" behaviours depending on the underlying VM you are using (VMware or VirtualBox) and/or on the OS it is running in.

BUT, once you manage to have it installed and working, it is addictive.

One underlying issue is the routing table for "HomeLAN" is controlled by the ISP router, so if you add a new subnet for IoTLAN, it won't be accessible to HomeLAN. Maybe that's what's desired, IDK.

I think it would be good to know the desired flows, well before getting to GNS3... Like, do you want the IoTLAN to be accessible from HomeLAN? Does the IoTLAN need internet access? What options do you have on the ISP router to control the routing table and/or DHCP server?

VLAN may be part of the answer. But it's not the whole story. And the fact we're downstream of the router adds some complexity to the traditional "VLAN your network" case.

Let's call it two subnets‡. And we agree, there's not a "third vlan".

Also, the RPi is the odd-ball here. OP says it needs access to both IoTLAN and HomeLAN, but what type of access is the question. Does it just need to be allowed routing to IoTLAN, or does the RPi need to be on the physical LAN segments (e.g. for ethernet/Layer-2 discovery)? And the answer to the last question controls whether the RPi itself needs to be VLAN aware, or it just needs to use the hAP as the default gateway.

‡ You could do this with two bridges, just the same. Or, with vlan-filtering=yes, it could be native/untagged is HomeLAN and IoTLAN as VLAN (or vice versa). Or, both are VLAN tagged on ingress to hAP, so two VLANs there.

So let’s imagine this other topology, where I connect a wifi dongle to the raspi and now I have 2 network interfaces, one for each network (home and IoT):

BLUE: HomeLAN
ORANGE: IoTLAN

  • Devices from HomeLAN (including the raspi) have internet access through the ISP router.
  • I can setup a wireguard VPN from another location to my raspberry without issue.
  • Raspi has access to Home devices through ethernet.
  • Raspi has access to IoT devices through the wifi dongle.
  • IoT devices don’t/can’t communicate with Home devices.
  • hAPmini setup with WAN on eth0 so IoT devices get access to internet.
  • hAPmini is DHCP server for IoT devices.

In this scenario no need for VLANs, everything is pretty flat (if I’m not missing some consideration).

So if we take this as the “desired functionality”, then imagine we can’t have the wifi dongle and we need to move the raspi on a port of the hAPmini (let’s say the switch is full and we can’t expand for a bigger one).

Thanks to everyone!

Edit:

Membership in networks (I hope it clarifies something haha):

The Raspberry Pi can do VLANs, no problem. You need to install the vlan package on the Raspberry Pi. Then depending on whether you are running bullseye (old), bookworm or trixie, you will configure it differently.

https://www.google.com/search?q=vlans+on+pi+os
https://www.tenaka.net/post/raspberry-pi-vlan-tagging
https://forums.raspberrypi.com/viewtopic.php?t=393579

I don't see a good reason to use wifi dongle on the Raspberry Pi, it would be better to use a vlan connection to the hAP mini, but you will then need to configure the hAP mini with the vlans, and it will require using software so it will not be a high performance solution. But for IoT devices, may be good enough. It would probably still be better than using wifi.

Hi everybody!
I don’t know how many times I had to netinstall my poor router, but I think I managed to setup a basic VLAN filtering hahaha

So now more specific questions.

What I got now: (i know there is no “eth0” but i’ll keep with this notation to be consistent with my previous pictures):

  • I made a bridge (vlan_bridge) and added my 3 ethernet ports and my wlan to my vlan_bridge, and I assigned a corresponding PVID to each of them (for the untagged ports)
  • In Interfaces\VLAN: I created 3 VLANs and assigned them to vlan_bridge:
    • VLAN10_WAN
    • VLAN20_HOME
    • VLAN30_IoT
  • In Bridge\VLANs: I assigned each VLAN to the ports:
    • VLAN10, VLAN20 and VLAN30: tagged to the vlan_bridge
    • VLAN10 untagged to eth0 (WAN)
    • VLAN20 tagged to eth1 (raspi)
    • VLAN30 tagged to eth1 (raspi) and untagged to eth2 and wlan1 (IoT)
  • In Bridge\Bridge: I enabled “VLAN Filtering” and “Ingress filtering” to “Admit only VLAN tagged”
  • I setup a DHCP Client on VLAN10_WAN.
  • I setup a DHCP Server on VLAN30_IoT.

What I’m not able to accomplish:

  • WAN doesn’t seem to be working, I have setup NAT as “chain:srcnat \ Out.Interface:VLAN10_WAN \ action:masquerade” but it doesn’t seem to be working
  • I need eth0 (WAN) to be both WAN for the IoT network and LAN for Home network.
  • I need VLAN20_HOME to get DHCP assignments from the port eth0.

Thanks everybody!

P.S: I know I’m running a very heavy limitation because of the 10/100 ethernet ports, but as I said this is mostly for educational purposes haha
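The setup the post above describes, written out as RouterOS commands. This is an added reconstruction, not the poster's export: port names follow RouterOS numbering (ether1/ether2/ether3 for the post's eth0/eth1/eth2), the 192.168.88.0/24 range is borrowed from the earlier reply as an assumed example, and the open question of ether1 also feeding VLAN20_HOME is left as the post leaves it. It shows the bridge VLAN table, the per-port ingress filtering that keeps a device on an untagged port from injecting frames for another VLAN, and the order in which vlan-filtering should be switched on.

```routeros
# Added example, reconstructed from the post's description (not the poster's export).
# Mapping: post's eth0 = ether1 (WAN), eth1 = ether2 (Pi trunk), eth2 = ether3 (IoT).
/interface bridge
add name=vlan_bridge vlan-filtering=no

# Bridge ports. pvid = the VLAN an untagged frame is placed in on ingress.
# frame-types + ingress-filtering drop frames that do not match the port's role
# (e.g. a tagged frame arriving on an access port), so a device on VLAN30 cannot reach VLAN20 by tagging.
/interface bridge port
add bridge=vlan_bridge interface=ether1 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=vlan_bridge interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=vlan_bridge interface=ether3 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=vlan_bridge interface=wlan1 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

# Bridge VLAN table: which ports carry each VLAN, tagged or untagged.
# The bridge itself is listed as tagged so the router's own VLAN interfaces can reach each VLAN.
/interface bridge vlan
add bridge=vlan_bridge vlan-ids=10 tagged=vlan_bridge untagged=ether1
add bridge=vlan_bridge vlan-ids=20 tagged=vlan_bridge,ether2
add bridge=vlan_bridge vlan-ids=30 tagged=vlan_bridge,ether2 untagged=ether3,wlan1

# Layer-3 interfaces on top of the bridge, one per VLAN.
# VLAN20_HOME gets no address here: how it is fed from ether1 is the post's open question.
/interface vlan
add name=VLAN10_WAN vlan-id=10 interface=vlan_bridge
add name=VLAN20_HOME vlan-id=20 interface=vlan_bridge
add name=VLAN30_IoT vlan-id=30 interface=vlan_bridge

# WAN side: DHCP client on VLAN10 (the ISP router's flat LAN as seen from the hAP).
/ip dhcp-client
add interface=VLAN10_WAN

# IoT side: static address plus DHCP server (192.168.88.0/24 is an assumed example range).
/ip address
add address=192.168.88.1/24 interface=VLAN30_IoT
/ip pool
add name=iot_pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add name=iot_dhcp interface=VLAN30_IoT address-pool=iot_pool
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1

# NAT as described in the post: masquerade everything leaving via VLAN10_WAN.
/ip firewall nat
add chain=srcnat out-interface=VLAN10_WAN action=masquerade

# Switch filtering on last, once the VLAN table above is complete: enabling it earlier
# with an incomplete table can cut off management access (the netinstall scenario).
/interface bridge
set vlan_bridge vlan-filtering=yes
```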

That is the description of what you think you have done, good :slightly_smiling_face:.

Now - since basically we don't trust your word for it :woozy_face: - you should post your configuration, instructions here:

for review, surely some member familiar with VLAN settings will then be able to see where the (mis-) configuration is.

You need to tell us how things are connected (which topology are you using, is the Raspberry Pi connected to the dumb switch or to the hAP mini?). There should be advantages to connecting to the dumb switch if the dumb switch is 1Gb and your Raspberry Pi is a 3B+ or better a Raspberry Pi 4 or 5. Especially if the Raspberry Pi is doing other things.

Post your export (see Forum rules - #5 by gigabyte091)